Update antispambot to handle multibyte characters.

Author: dmsnell

src/wp-includes/formatting.php

@@ -2904,23 +2904,49 @@ function urldecode_deep( $value ) {
  * Converts email addresses characters to HTML entities to block spam bots.
  *
  * @since 0.71
+ * @since {WP_VERSION} Masquerades multi-byte characters.
  *
  * @param string $email_address Email address.
  * @param int    $hex_encoding  Optional. Set to 1 to enable hex encoding.
  * @return string Converted email address.
  */
 function antispambot( $email_address, $hex_encoding = 0 ) {
+	/*
+	 * Email addresses passed into this function should not contain invalid UTF-8, but if they do,
+	 * enforce the constraint by refusing to print any email address.
+	 */
+	if ( ! wp_check_invalid_utf8( $email_address ) ) {
+		return '';
+	}
+
 	$email_no_spam_address = '';
 
-	for ( $i = 0, $len = strlen( $email_address ); $i < $len; $i++ ) {
-		$j = rand( 0, 1 + $hex_encoding );
+	$at             = 0;
+	$next_at        = 0;
+	$end            = strlen( $email_address );
+	$invalid_length = 0;
+	while ( $at < $end ) {
+		if ( 0 === _wp_scan_utf8( $email_address, $next_at, $invalid_length, null, 1 ) ) {
+			break;
+		}
 
-		if ( 0 === $j ) {
-			$email_no_spam_address .= '&#' . ord( $email_address[ $i ] ) . ';';
-		} elseif ( 1 === $j ) {
-			$email_no_spam_address .= $email_address[ $i ];
-		} elseif ( 2 === $j ) {
-			$email_no_spam_address .= '%' . zeroise( dechex( ord( $email_address[ $i ] ) ), 2 );
+		$character = substr( $email_address, $at, $next_at - $at );
+		switch ( rand( 0, 1 + $hex_encoding ) ) {
+			case 0:
+				$code_point            = mb_ord( $character );
+				$email_no_spam_address .= "&#{$code_point};";
+				break;
+
+			case 1:
+				$email_no_spam_address .= mb_ord( $character );
+				break;
+
+			case 2:
+				for ( $i = 0, $byte_count = strlen( $character ); $i < $byte_count; $i++ ) {
+					$hex_value             = bin2hex( $character );
+					$email_no_spam_address .= "%{$hex_value}";
+				}
+				break;
 		}
 	}